SPDY68 / POST to proxy / nginx worker segfault

nginx 1.3.14, SPDY patch version 68.

Sitting in front of a PGP keyserver, with configuration as below, if I
have “spdy” on the “listen” lines, then Chrome gets an error for no data
returned and I get errors in errorlog:

2013/03/12 18:08:43 [alert] 8546#0: worker process 8815 exited on signal 11
2013/03/12 18:09:35 [alert] 8546#0: worker process 9085 exited on signal 11
2013/03/12 18:09:36 [alert] 8546#0: worker process 9089 exited on signal 11

Below, nginx version output, nginx.conf server block, and curl output
from a working query when SPDY is enabled but not used (because it’s
curl), over https.

(The server in this case has a cert from my private CA;
https://www.security.spodhuis.org/ has details, including PGP
signature, if anyone wants to verify)

----------------------------8< cut here >8------------------------------

nginx -V

nginx version: nginx/1.3.14
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf
--sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid
--error-log-path=/var/log/nginx-error.log --user=www --group=www
--with-file-aio --with-ipv6 --with-google_perftools_module
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx-access.log
--add-module=/usr/ports/www/nginx-devel/work/giom-nginx_accept_language_module-02262ce
--add-module=/usr/ports/www/nginx-devel/work/samizdatco-nginx-http-auth-digest-bd1c86a
--with-http_dav_module --with-http_gunzip_module
--with-http_stub_status_module
--add-module=/usr/ports/www/nginx-devel/work/masterzen-nginx-upload-progress-module-a788dea
--add-module=/usr/ports/www/nginx-devel/work/nginx_upstream_fair-20090923
--add-module=/usr/ports/www/nginx-devel/work/nginx_upstream_hash-0.3.1
--add-module=/usr/ports/www/nginx-devel/work/nginx-sticky-module-1.0
--add-module=/usr/ports/www/nginx-devel/work/simpl-ngx_devel_kit-48bc5dd
--add-module=/usr/ports/www/nginx-devel/work/agentzh-encrypted-session-nginx-module-c752861
--add-module=/usr/ports/www/nginx-devel/work/arut-nginx-let-module-a5e1dc5
--with-pcre
--add-module=/usr/ports/www/nginx-devel/work/agentzh-set-misc-nginx-module-658c235
--add-module=/usr/ports/www/nginx-devel/work/yaoweibin-nginx_tcp_proxy_module-b83e5a6
--with-http_spdy_module --with-http_ssl_module
----------------------------8< cut here >8------------------------------

----------------------------8< cut here >8------------------------------
server {
    # need default_server for SNI to work with session resumption, unless
    # you accept the same SSL cache. Hrm. We do, for now.
    listen 94.142.241.93:443 ssl;
    listen [2a02:898:31:0:48:4558:73:6b73]:443 ssl;
    server_name sks.spodhuis.org;

    ssl on;
    ssl_certificate     /www/conf/tls/ssl-sks-web.crt;
    ssl_certificate_key /www/conf/tls/ssl-sks-web.key;
    ssl_verify_client   off;

    access_log  /var/log/nginx/sks-tls.log  combine-tls;

    location / {
        root    /www/sites/sks.spodhuis.org/content;
        index   index.html;
    }

    location ~ /\. {
        deny  all;
    }

    location /pks {
        proxy_pass         http://127.0.0.1:11371;
        proxy_pass_header  Server;
        add_header         Via "1.1 sks.spodhuis.org:443 (nginx)";
        proxy_ignore_client_abort on;
    }

    location /sks-peers {
        proxy_pass          http://127.0.0.1:8001;
        proxy_set_header    X-Real-IP $remote_addr;
    }
}

----------------------------8< cut here >8------------------------------

% gpg -a --export $gpg_key_work | curl --data-urlencode keytext@- -vs https://sks.spodhuis.org/pks/add 2>&1 | pbcopy
----------------------------8< cut here >8------------------------------

* About to connect() to sks.spodhuis.org port 443 (#0)
* Trying 2a02:898:31::48:4558:73:6b73...
* Failed to connect to 2a02:898:31::48:4558:73:6b73: No route to host
* Trying 94.142.241.93...
* Connected to sks.spodhuis.org (94.142.241.93) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: C=NL; ST=Noord Holland; O=GlobNIX Systems;
  CN=sks.spodhuis.org; [email protected]
* start date: 2011-08-10 04:59:54 GMT
* expire date: 2013-05-01 04:59:54 GMT
* subjectAltName: sks.spodhuis.org matched
* issuer: C=US; O=GlobNIX Systems; OU=Certification Authority;
  CN=GlobNIX Certificate Authority 3;
  [email protected]
* SSL certificate verify ok.

> POST /pks/add HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sks.spodhuis.org
> Accept: */*
> Content-Length: 18437
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue

< HTTP/1.1 100 Continue
} [data not shown]
< HTTP/1.1 200 OK
< Date: Tue, 12 Mar 2013 18:22:58 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 129
< Connection: keep-alive
< Server: sks_www/1.1.4
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< X-HKP-Results-Count: 1
< Via: 1.1 sks.spodhuis.org:443 (nginx)
<
{ [data not shown]

Key block added to key server database. New public keys added:
1 key(s) added successfully.
----------------------------8< cut here >8------------------------------
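
Added example, not part of the original thread or of nginx: a small Python check that reads error-log lines in the format quoted in the report and flags a master process whose workers die on signal 11 repeatedly within a short window. The function names, the 5-minute window and the threshold of 3 are assumptions chosen for illustration; the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Master-process alert format seen in the report; nginx appends
# " (core dumped)" when the worker left a core file.
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] (\d+)#\d+: "
    r"worker process (\d+) exited on signal (\d+)( \(core dumped\))?"
)

# First three lines are from the report; the last two are constructed.
SAMPLE_LOG = """\
2013/03/12 18:08:43 [alert] 8546#0: worker process 8815 exited on signal 11
2013/03/12 18:09:35 [alert] 8546#0: worker process 9085 exited on signal 11
2013/03/12 18:09:36 [alert] 8546#0: worker process 9089 exited on signal 11
2013/03/12 18:10:02 [notice] 8546#0: start worker processes
2013/03/12 19:30:00 [alert] 9000#0: worker process 9100 exited on signal 11 (core dumped)
""".splitlines()

def parse_crashes(lines):
    """Return one dict per worker-crash line; all other lines are ignored."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if m:
            ts, master, worker, sig, core = m.groups()
            crashes.append({
                "time": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                "master": int(master), "worker": int(worker),
                "signal": int(sig), "core": core is not None,
            })
    return crashes

def max_in_window(times, window):
    """Largest number of timestamps that fit inside any span of `window`."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def flag_crash_loops(lines, window=timedelta(minutes=5), threshold=3, sig=11):
    """Map master pid -> peak crash count, for masters at or over threshold."""
    by_master = defaultdict(list)
    for c in parse_crashes(lines):
        if c["signal"] == sig:
            by_master[c["master"]].append(c["time"])
    counts = {m: max_in_window(t, window) for m, t in by_master.items()}
    return {m: n for m, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_crash_loops(SAMPLE_LOG))
```
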

On Tuesday 12 March 2013 22:24:45 Phil P. wrote:

> Below, nginx version output, nginx.conf server block, and curl output
> from a working query when SPDY is enabled but not used (because it’s
> curl), over https.
>
> (The server in this case has a cert from my private CA;
> https://www.security.spodhuis.org/ has details, including PGP
> signature, if anyone wants to verify)
>
> […]

Thank you for the report. This issue should be fixed now in:
http://nginx.org/patches/spdy/patch.spdy-69_1.3.14.txt

wbr, Valentin V. Bartenev



On 2013-03-13 at 03:14 +0400, Valentin V. Bartenev wrote:

> Thank you for the report. This issue should be fixed now in:
> http://nginx.org/patches/spdy/patch.spdy-69_1.3.14.txt

Fix confirmed, works for me.

Thanks for the prompt fix!
-Phil